diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..e4e58db --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "docker/oxicloud/OxiCloud"] + path = docker/oxicloud/OxiCloud + url = git@github.com:DioCrafts/OxiCloud.git diff --git a/docker/backrest/docker-compose.yml b/docker/backrest/docker-compose.yml new file mode 100644 index 0000000..83451f2 --- /dev/null +++ b/docker/backrest/docker-compose.yml @@ -0,0 +1,19 @@ +--- +services: + backrest: + image: garethgeorge/backrest:v1.11.2 + container_name: backrest + hostname: backrest + volumes: + - ${DATA2BACKUP_DIR:-/mnt/zeruel}:/data2backup + - ${BACKREST_DATA_DIR:-/mnt/zeruel/nas1/shared/backrest/data}:/data + - ${BACKREST_CONFIG_DIR:-/mnt/zeruel/nas1/shared/backrest/config}:/config + - ${BACKREST_CACHE_DIR:-/mnt/zeruel/nas1/shared/backrest}:/cache + environment: + - BACKREST_DATA=/data + - BACKREST_CONFIG=/config/config.json + - XDG_CACHE_HOME=/cache + - TZ=Europe/Madrid + restart: unless-stopped + ports: + - "9898:9898" diff --git a/docker/minecraft/docker-compose.yml b/docker/minecraft/docker-compose.yml new file mode 100644 index 0000000..7d65b94 --- /dev/null +++ b/docker/minecraft/docker-compose.yml 
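Review bot: The submodule URL `git@github.com:DioCrafts/OxiCloud.git` is an SSH remote, so any clone with `--recurse-submodules` (a CI runner, Renovate, a fresh checkout on another machine) needs a GitHub SSH key even though that upstream repository is reachable anonymously; `url = https://github.com/DioCrafts/OxiCloud.git` avoids that, and the gitlink still pins commit cf9fe82. It is also worth confirming that the `oxicloud-0.5.2` image referenced from the compose file is actually built from this pinned checkout, otherwise the submodule is a vendored third-party tree with no consumer in this repo.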
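Review bot: `${DATA2BACKUP_DIR:-/mnt/zeruel}:/data2backup` mounts the whole backup source read-write although the container only needs to read it, so a bug or compromise inside backrest can modify or delete the data it is meant to protect; mount it `- ${DATA2BACKUP_DIR:-/mnt/zeruel}:/data2backup:ro`. Note also that the `/data`, `/config` and `/cache` host paths (`/mnt/zeruel/nas1/shared/backrest/...`) live inside `/mnt/zeruel`, so backrest's own state and the restic cache end up in the backup set unless the plan excludes them. `"9898:9898"` binds the UI on every host interface; if no authentication is configured in backrest, bind it `"127.0.0.1:9898:9898"` or put it behind an authenticating proxy.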
@@ -0,0 +1,39 @@ +--- +services: + mc: + image: itzg/minecraft-server:java23-graalvm + restart: unless-stopped + tty: true + stdin_open: true + ports: + - "25565:25565" + environment: + EULA: "TRUE" + MEMORY: ${MEMORY:-"6G"} + TZ: "Europe/Madrid" + VERSION: 1.21.1 + ENABLE_ROLLING_LOGS: true + USE_AIKAR_FLAGS: true + MOTD: "Huesoperrers Minecraft Episodio 3: La venganza de los huesos" + MAX_PLAYERS: 10 + MAX_WORLD_SIZE: 10000 + SEED: huesoperrers3 + MODE: survival + ONLINE_MODE: false + ALLOW_FLIGHT: true + SERVER_NAME: Huesoperrers and co. + PLAYER_IDLE_TIMEOUT: 15 + STOP_SERVER_ANNOUNCE_DELAY: 30 + OPS: ${OPS:-robosap1ens,commandkatt,Malva25} + SYNCHRONIZE: true + MERGE: true + ENFORCE_WHITELIST: true + ENABLE_RCON: false + MAX_TICK_TIME: -1 + USER_API_PROVIDER: ${USER_API_PROVIDER:-playerdb} + DIFFICULTY: ${DIFFICULTY:-normal} + ENABLE_AUTOPAUSE: true + DEBUG_AUTOPAUSE: false + TYPE: NEOFORGE + volumes: + - ${MC_DATA_DIR:-/mnt/zeruel/nas1/shared/mc3}:/data diff --git a/docker/oxicloud/OxiCloud b/docker/oxicloud/OxiCloud new file mode 160000 index 0000000..cf9fe82 --- /dev/null +++ b/docker/oxicloud/OxiCloud @@ -0,0 +1 @@ +Subproject commit cf9fe82b5f72f173d140321448ded789c604989a diff --git a/docker/oxicloud/docker-compose.yml b/docker/oxicloud/docker-compose.yml new file mode 100644 index 0000000..f89895f --- /dev/null +++ b/docker/oxicloud/docker-compose.yml 
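Review bot: `ONLINE_MODE: false` together with `ENFORCE_WHITELIST: true` and a name-based `OPS` list provides no real access control: in offline mode the server does not verify usernames with Mojang, so anyone who can reach port 25565 can connect as `robosap1ens` (or any whitelisted name) and receive operator rights. If offline mode is required for these players, the port should be reachable only over LAN/VPN rather than published on the host, and the `OPS` list should be reconsidered; otherwise set `ONLINE_MODE: true`. Separately, `MEMORY: ${MEMORY:-"6G"}` — Compose takes the default literally, quote characters included, so the JVM would probably receive `-Xmx"6G"`; the intended form is `MEMORY: ${MEMORY:-6G}`.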
@@ -0,0 +1,22 @@ +--- +services: + oxicloud: + image: git.roboces.dev/catalin/fukuops:oxicloud-0.5.2 + restart: always + ports: + - "8086:8086" + environment: + OXICLOUD_DB_CONNECTION_STRING: ${OXICLOUD_DB_CONNECTION_STRING:-postgres://postgres:postgres@postgres/oxicloud} + OXICLOUD_OIDC_ENABLED: ${OXICLOUD_OIDC_ENABLED:-true} + OXICLOUD_OIDC_ISSUER_URL: ${OXICLOUD_OIDC_ISSUER_URL:-https://auth.fukurokuju.dev/application/o/ganymede/} + OXICLOUD_OIDC_CLIENT_ID: ${OXICLOUD_OIDC_CLIENT_ID} + OXICLOUD_OIDC_CLIENT_SECRET: ${OXICLOUD_OIDC_CLIENT_SECRET} + OXICLOUD_OIDC_REDIRECT_URI: ${OXICLOUD_OIDC_REDIRECT_URI:-https://cloud.roboces.dev/api/auth/oidc/callback} + OXICLOUD_OIDC_FRONTEND_URL: ${OXICLOUD_OIDC_FRONTEND_URL:-https://cloud.roboces.dev} + OXICLOUD_OIDC_ADMIN_GROUPS: ${OXICLOUD_OIDC_ADMIN_GROUPS:-""} + OXICLOUD_OIDC_SCOPES: ${OXICLOUD_OIDC_SCOPES:-offline_access openid profile email} + OXICLOUD_OIDC_PROVIDER_NAME: ${OXICLOUD_OIDC_PROVIDER_NAME:-Authentik} + OXICLOUD_OIDC_AUTO_PROVISION: ${OXICLOUD_OIDC_AUTO_PROVISION:-true} + RUST_LOG: debug + volumes: + - ${OXICLOUD_DATA_VOLUME:-/mnt/zeruel/nas1/shared/storage/data}:/app/storage diff --git a/docker/oxicloud/sample.env b/docker/oxicloud/sample.env new file mode 100644 index 0000000..032e2f8 --- /dev/null +++ b/docker/oxicloud/sample.env @@ -0,0 +1,10 @@ +OXICLOUD_DB_CONNECTION_STRING= +OXICLOUD_OIDC_ENABLED= +OXICLOUD_OIDC_ISSUER_URL= +OXICLOUD_OIDC_CLIENT_ID= +OXICLOUD_OIDC_CLIENT_SECRET= +OXICLOUD_OIDC_REDIRECT_URI= +OXICLOUD_OIDC_FRONTEND_URL= +OXICLOUD_OIDC_ADMIN_GROUPS="" +OXICLOUD_OIDC_PROVIDER_NAME= +OXICLOUD_OIDC_SCOPES=offline_access openid profile email diff --git a/docker/rustical/docker-compose.yml b/docker/rustical/docker-compose.yml index 47a847b..9bb09f3 100644 --- a/docker/rustical/docker-compose.yml +++ b/docker/rustical/docker-compose.yml @@ -2,6 +2,7 @@ services: rustical: image: ghcr.io/lennart-k/rustical:0.12.9 + restart: unless-stopped ports: - '4000:4000' volumes: 
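Review bot: `OXICLOUD_DB_CONNECTION_STRING` falls back to `postgres://postgres:postgres@postgres/oxicloud`, so a missing or incomplete `.env` silently starts the service as the Postgres superuser with the stock password instead of failing, and `OXICLOUD_OIDC_CLIENT_ID`/`_SECRET` have no default at all and degrade to empty strings. Use fail-fast interpolation for the three: `OXICLOUD_DB_CONNECTION_STRING: ${OXICLOUD_DB_CONNECTION_STRING:?set in .env}` and the same `:?` form for the client id and secret. `RUST_LOG: debug` on a service that handles OIDC tokens and user files is likely to write tokens or PII into container logs; leave it at `info` unless actively debugging. `OXICLOUD_OIDC_AUTO_PROVISION` defaults to `true` here but is missing from `sample.env`, so add it there next to the other OIDC keys.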
diff --git a/k8s/argo-apps/authentik.yaml b/k8s/argo-apps/authentik.yaml index fc44e71..1c9e424 100644 --- a/k8s/argo-apps/authentik.yaml +++ b/k8s/argo-apps/authentik.yaml @@ -26,7 +26,7 @@ spec: timeout: 30 from: auth@fukurokuju.dev postgresql: - host: psql15-postgres.apps-fuku.svc.cluster.local + host: 192.168.1.3 port: 5432 name: auth user: file:///authentik-creds/pg_username diff --git a/k8s/argo-apps/kubetail.yaml b/k8s/argo-apps/kubetail.yaml deleted file mode 100644 index 0a6db1f..0000000 --- a/k8s/argo-apps/kubetail.yaml +++ /dev/null @@ -1,38 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: kubetail - namespace: argocd -spec: - destination: - name: '' - namespace: apps-fuku - server: https://kubernetes.default.svc - sources: - - chart: kubetail - repoURL: https://kubetail-org.github.io/helm-charts/ - targetRevision: 0.18.0 - helm: - valuesObject: - kubetail: - dashboard: - ingress: - enabled: true - className: traefik - tls: [] - rules: - - host: logs.fuku - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: kubetail-dashboard - port: - number: 8080 - - project: fuku - syncPolicy: - automated: {} diff --git a/k8s/argo-apps/psql.yaml b/k8s/argo-apps/psql.yaml deleted file mode 100644 index 96bf839..0000000 --- a/k8s/argo-apps/psql.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: psql15 - namespace: argocd -spec: - destination: - namespace: apps-fuku - server: 'https://kubernetes.default.svc' - sources: - - chart: postgres - targetRevision: 1.3.6 - repoURL: https://groundhog2k.github.io/helm-charts/ - helm: - valuesObject: - service: - type: LoadBalancer - storage: - accessModes: - - ReadWriteMany - className: truenas-nfs-csi - requestedSize: 150Gi - project: fuku - syncPolicy: - automated: {} diff --git a/k8s/argo-apps/pulse.yaml b/k8s/argo-apps/pulse.yaml deleted file mode 100644 index aa2dd3f..0000000 
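Review bot: Changing `postgresql.host` from the in-cluster service to `192.168.1.3` sends authentik's database traffic (credentials, sessions, token tables) out of the cluster over the LAN, and nothing in this hunk enforces TLS for that connection. If the chart exposes it, set `sslmode: require` next to `host` (authentik itself honours `AUTHENTIK_POSTGRESQL__SSLMODE`), or confirm that the external Postgres is only reachable over a trusted segment. A hard-coded IP also drifts from the DNS names used elsewhere in these manifests; a DNS record for the database host would keep the value stable.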
--- a/k8s/argo-apps/pulse.yaml +++ /dev/null @@ -1,43 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: pulse - namespace: argocd -spec: - destination: - name: '' - namespace: apps-fuku - server: https://kubernetes.default.svc - project: fuku - syncPolicy: - automated: {} - sources: - - repoURL: https://rcourtman.github.io/Pulse - chart: pulse - targetRevision: 5.1.* - helm: - valuesObject: - persistence: - enabled: true - size: 10Gi - storageClass: truenas-nfs-csi - accessModes: - - ReadWriteMany - service: - type: LoadBalancer - ingress: - enabled: true - hosts: - - host: pulse.fukurokuju.dev - paths: - - path: / - pathType: Prefix - tls: [] - monitoring: - serviceMonitor: - enabled: true - - - path: k8s/services/pulse - repoURL: https://git.roboces.dev/catalin/fukuops.git - targetRevision: main diff --git a/k8s/argo-apps/redis.yaml b/k8s/argo-apps/redis.yaml deleted file mode 100644 index 698214d..0000000 --- a/k8s/argo-apps/redis.yaml +++ /dev/null @@ -1,32 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: redis - namespace: argocd -spec: - destination: - name: '' - namespace: apps-fuku - server: https://kubernetes.default.svc - sources: - - chart: redis - repoURL: registry-1.docker.io/cloudpirates - targetRevision: "0.9.*" - helm: - valuesObject: - auth: - existingSecret: secrets-redis - existingSecretPasswordKey: redis-password - persistence: - storageClass: truenas-nfs-csi - size: 10Gi - accessMode: ReadWriteMany - service: - type: LoadBalancer - - repoURL: https://git.roboces.dev/catalin/fukuops.git - path: k8s/services/redis - targetRevision: main - project: fuku - syncPolicy: - automated: {} diff --git a/k8s/argo-apps/renovate.yaml b/k8s/argo-apps/renovate.yaml index 1e7d109..a8e4be5 100644 --- a/k8s/argo-apps/renovate.yaml +++ b/k8s/argo-apps/renovate.yaml 
@@ -13,7 +13,7 @@ spec: sources: - chart: renovate repoURL: https://docs.renovatebot.com/helm-charts - targetRevision: 46.57.* + targetRevision: 46.58.* helm: valuesObject: renovate: diff --git a/k8s/argo-apps/vaultwarden-secrets-manager.yaml b/k8s/argo-apps/vaultwarden-secrets-manager.yaml new file mode 100644 index 0000000..e2fc9d9 --- /dev/null +++ b/k8s/argo-apps/vaultwarden-secrets-manager.yaml @@ -0,0 +1,64 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: vaultwarden-secrets-manager + namespace: argocd +spec: + destination: + name: '' + namespace: apps-fuku + server: https://kubernetes.default.svc + sources: + - chart: vaultwarden-kubernetes-secrets + repoURL: ghcr.io/antoniolago/charts + targetRevision: 1.2.8 + helm: + valuesObject: + api: + enabled: true + service: + type: LoadBalancer + persistence: + storageClass: truenas-nfs-csi + dashboard: + enabled: true + service: + type: LoadBalancer + ingress: + enabled: true + className: traefik + hosts: + - host: vault-secrets.fuku + paths: + - path: / + pathType: Prefix + backend: dashboard + port: 80 + - path: /api + pathType: Prefix + backend: api + port: 8080 + env: + config: + VAULTWARDEN__SERVERURL: "https://vault.roboces.dev" + secrets: + BW_CLIENTID: + secretName: "vaultwarden-kubernetes-secrets" + secretKey: "BW_CLIENTID" + BW_CLIENTSECRET: + secretName: "vaultwarden-kubernetes-secrets" + secretKey: "BW_CLIENTSECRET" + VAULTWARDEN__MASTERPASSWORD: + secretName: "vaultwarden-kubernetes-secrets" + secretKey: "VAULTWARDEN__MASTERPASSWORD" + - path: k8s/services/vaultwarden-kubernetes-secrets + repoURL: https://git.roboces.dev/catalin/fukuops.git + targetRevision: main + project: fuku + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/k8s/services/argo/project-fuku.yaml b/k8s/services/argo/project-fuku.yaml index ead0d89..6f03737 100644 --- a/k8s/services/argo/project-fuku.yaml +++ b/k8s/services/argo/project-fuku.yaml 
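Review bot: Both `api` and `dashboard` are published with `service.type: LoadBalancer` and again through a Traefik ingress with no `tls` block, so the component holding `VAULTWARDEN__MASTERPASSWORD` and `BW_CLIENTSECRET` is reachable directly on the LAN and over plain HTTP at `vault-secrets.fuku`. Unless the chart enforces its own authentication (not visible here), anyone on the network can read or push secrets through the `/api` path. Since the ingress already routes to both services, use `type: ClusterIP` for each and add a `tls:` entry for the host so the master-password-backed API is never served unencrypted.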
@@ -33,3 +33,4 @@ spec: - https://vmware-tanzu.github.io/helm-charts/ - https://helm.runix.net - https://rcourtman.github.io/Pulse + - ghcr.io/antoniolago/charts diff --git a/k8s/services/forgejo/sealedsecrets.yaml b/k8s/services/forgejo/sealedsecrets.yaml index 8c2f780..8a48da7 100644 --- a/k8s/services/forgejo/sealedsecrets.yaml +++ b/k8s/services/forgejo/sealedsecrets.yaml @@ -102,17 +102,15 @@ spec: apiVersion: bitnami.com/v1alpha1 kind: SealedSecret metadata: - creationTimestamp: null name: gitea-ini-redis namespace: apps-roboces spec: encryptedData: - cache: AgAd4e8faLRBWaHzBxEF8VQbPQ1Kg6d4jfSwesrdJVijhmvE+ruGfbiwL0FXhn0XLfVAB1f99+Wvus93fOwfeh3RA95L1AZK/7+QntNHQe6LP2+ydZaPQfAOdkQBf+7ZQG04QiTqr3Ckkh3eNIvAyFMIrmaYf9qY5BwVMYrjg8iNi0jRgfgSBm5w3Dd3V0G3ry3yI4aawQN7pj9PuhA3pSqq3ynK4qXdf/6nEqvA5+7m/Ys0xWSOJwAgWHUVT2KLQ7rvI4y1TiCciWEpFvhIbwtE+bc+lOARJBBUCmRcDKOD5N3qXYX4846XUTTm3W8LhO7e9cIE0saPsPkS/qKkMgW51hh2r70hgTKi9/174I6tVYU4t208UScrNlF3AkGqHzXsisI8Yw28OApLrwxkFbh/y9zbci/KmQGpw2RZYdFeXuS1RGzGDDaiCwZIUONChchAPxb0PGpDZpGrW/MOAdJFj700YW+Abzihr0GV0bSnKHf/uYdXn+3+Oz2Uk35B+Vwc+tqKCHpSzoa4SRNlwGlQ71ysEKx6zUmcPEalqKnNHMmVOocRuQuxGnRasj62tNwZmg9hC/1IriMEJJkdEcymlo7pQqQ8YXmkKAUu3w69S5v9LKBG/DGzhxUagqhErM8KSMOjXmfoNIZEVE3ey9sUDtRZTnLgDj2rl9avAAnGo7+qF6etPNuKGFknK+xTegy3DwyzBEjXzgNaKhkBqvDS+Iggko+CEspBdUqerjIydU2dXwdiY2t+wm5gztDAimROvgouW5GqwUFK50s4tcSJjvsiw4OsOBZp6r/61lejlggk - queue: 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 - session: 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 + cache: 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 + queue: 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 + session: 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 template: metadata: - creationTimestamp: null name: gitea-ini-redis namespace: apps-roboces type: Opaque 
@@ -120,15 +118,13 @@ spec: apiVersion: bitnami.com/v1alpha1 kind: SealedSecret metadata: - creationTimestamp: null name: secrets-forgejo-db namespace: apps-roboces spec: encryptedData: - database: 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 + database: 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 template: metadata: - creationTimestamp: null name: secrets-forgejo-db namespace: apps-roboces type: Opaque diff --git a/k8s/services/pulse/ds.yaml b/k8s/services/pulse/ds.yaml deleted file mode 100644 index 8247d97..0000000 --- a/k8s/services/pulse/ds.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: pulse-agent - namespace: apps-fuku ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: pulse-agent-read -rules: - - apiGroups: [""] - resources: ["nodes", "pods"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: pulse-agent-read -subjects: - - kind: ServiceAccount - name: pulse-agent - namespace: apps-fuku -roleRef: - kind: ClusterRole - name: pulse-agent-read - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: pulse-agent - namespace: apps-fuku -spec: - selector: - matchLabels: - app: pulse-agent - template: - metadata: - labels: - app: pulse-agent - spec: - serviceAccountName: pulse-agent - containers: - - name: pulse-agent - image: rcourtman/pulse:5.1.13 - command: ["/opt/pulse/bin/pulse-agent-linux-amd64"] - args: - - --enable-kubernetes - env: - - name: PULSE_URL - value: "https://pulse.fukurokuju.dev" - - name: PULSE_TOKEN - valueFrom: - secretKeyRef: - name: pulse-agent-secrets - key: PULSE_TOKEN - - name: PULSE_AGENT_ID - value: "k8s-cluster" - - name: PULSE_ENABLE_HOST - value: "true" - - name: HOST_PROC - value: "/host/proc" - - name: HOST_SYS - value: "/host/sys" - - name: HOST_ETC - value: "/host/etc" - - name: PULSE_KUBE_INCLUDE_ALL_PODS - value: "true" - - name: PULSE_KUBE_INCLUDE_ALL_DEPLOYMENTS - value: "true" - securityContext: - privileged: true - resources: - requests: - cpu: 50m - memory: 128Mi - limits: - memory: 512Mi - volumeMounts: - - name: host-proc - mountPath: /host/proc - readOnly: true - - name: host-sys - mountPath: /host/sys - readOnly: true - - name: host-root - mountPath: /host/root - readOnly: true - volumes: - - name: host-proc - hostPath: - path: /proc - - name: host-sys - hostPath: - path: /sys - - name: 
host-root - hostPath: - path: / - tolerations: - - operator: Exists diff --git a/k8s/services/pulse/sealedsecrets.yaml b/k8s/services/pulse/sealedsecrets.yaml deleted file mode 100644 index 0cade5d..0000000 --- a/k8s/services/pulse/sealedsecrets.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# yamllint disable rule:line-length ---- -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - creationTimestamp: null - name: pulse-agent-secrets - namespace: apps-fuku -spec: - encryptedData: - PULSE_TOKEN: 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 - template: - metadata: - creationTimestamp: null - name: pulse-agent-secrets - namespace: apps-fuku - type: Opaque diff --git a/k8s/services/redis/sealedsecrets.yaml b/k8s/services/redis/sealedsecrets.yaml deleted file mode 100644 index f92c67f..0000000 --- a/k8s/services/redis/sealedsecrets.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# yamllint disable rule:line-length ---- -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - creationTimestamp: null - name: secrets-redis - namespace: apps-fuku -spec: - encryptedData: - redis-password: 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 - template: - metadata: - creationTimestamp: null - name: secrets-redis - namespace: apps-fuku - type: Opaque diff --git a/k8s/services/valheim/sealedsecrets.yaml b/k8s/services/valheim/sealedsecrets.yaml deleted file mode 100644 index ad59cb1..0000000 --- a/k8s/services/valheim/sealedsecrets.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -# yamllint disable rule:line-length ---- -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - creationTimestamp: null - name: valheim-secrets - namespace: apps-fuku -spec: - encryptedData: - server-password: AgBsm7Qg9ej7FtFh5twb4ALyL0I/fzVukURvFg17aweeDX7bM/9p/Yq7S2XG8gbqOYbC1GxknGMHQUnTXqXC9YZ4tZVUAptTCrAsPZHhHiet8bM39KCo2tGa5mCyC7lcmxae26cHuKj8Df6iMQCHL9ZH58A2SU8OIaszkonjwvSnbk6u7/HLCE8UyqP1JjXBMd4wx4BFDrhbauZr10f51tI55ksY+x44QQNrz84QEXmQ/dgwdzGAWqcPQTf57BebSI+ZKtUIvrMpNtz1ioqGnH3vWlb7QnqyqcyAYri3W3j8DB03EpfI2QjYi5Rs1NaJoO8L5HFdHW5p+rmttuwRxiEUPmURftH25o6Mgv/EcWGsB1TpyyFXM8JNU01lWJ+Wty316YF1BV3zHqdQeKu82R/wSv+iVm1dYKTfSOLe3YJr+aFnhYX3hCpBup1cB2KeOe/X9wTo2ETdvKhcIJPz8x7TRcXaCerVmVBw6LagmmdtMsCL4AIXw2gdkBeGONQmOzR1hDyTBAmpTv59WYzAJcCPZRE6gGxCPqH32G36E7WGEI4UOsjvT3GkVDnYx4FUDppzSP0ebnHZOwwAPFtXojHUaHg7ZTjZiuXDQa9Hkqt4mIOKa0i1HI0MyPu8eZJjoRXNS4j1yLfDCP2eSuhGjtVNbbyQthaITolitZ0VeUU8St1iKB7rvAGHqhBoPSw9TOBVSsBcHgIAV64oRqto4kM8 - template: - metadata: - creationTimestamp: null - name: valheim-secrets - namespace: apps-fuku diff --git a/k8s/services/vaultwarden-kubernetes-secrets/sealedsecrets.yaml b/k8s/services/vaultwarden-kubernetes-secrets/sealedsecrets.yaml new file mode 100644 index 0000000..a8f2585 --- /dev/null +++ b/k8s/services/vaultwarden-kubernetes-secrets/sealedsecrets.yaml @@ -0,0 +1,17 @@ +# yamllint disable rule:line-length +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: vaultwarden-kubernetes-secrets + namespace: apps-fuku +spec: + encryptedData: + BW_CLIENTID: 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 + BW_CLIENTSECRET: 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 + VAULTWARDEN__MASTERPASSWORD: 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 + template: + metadata: + name: vaultwarden-kubernetes-secrets + namespace: apps-fuku + type: Opaque diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf index 4ff4a0c..a941542 100644 --- a/tofu/authentik/main.tf 
+++ b/tofu/authentik/main.tf @@ -37,22 +37,6 @@ resource "authentik_group" "arrs" { is_superuser = false } -resource "authentik_group" "vpn" { - name = "vpn" - is_superuser = false -} - -resource "authentik_group" "ftp" { - name = "ftp" - is_superuser = false -} - -resource "authentik_group" "mediamanager" { - name = "mediamanager" - is_superuser = false -} - - module "gitea" { source = "../modules/authentik-oidc" app_name = "Gitea" @@ -181,30 +165,6 @@ module "prowlarr" { internal_host_ssl_validation = false } -module "sftpgo" { - source = "../modules/authentik-oidc" - app_name = "SFTPGo" - app_slug = "SFTPGo" - client_id = var.sftpgo_client_id - client_secret = var.sftpgo_client_secret - client_type = "confidential" - app_access_group_id = authentik_group.ftp.id - redirect_uris = [ - { - matching_mode = "regex", - url = "https://ftp.fukurokuju.dev/.*" - } - ] - extra_property_mappings = [ - - ] - app_icon = "https://ftp.fukurokuju.dev/static/img/logo.png" - access_token_validity = "days=10" - app_url = "https://ftp.fukurokuju.dev" - app_description = "SFTPGo" - sub_mode = "user_username" -} - module "rustical" { source = "../modules/authentik-oidc" app_name = "rustical" @@ -272,3 +232,17 @@ module "pulse" { redirect_uris = [{ matching_mode = "strict", url = "https://pulse.fukurokuju.dev/api/oidc/callback" }] app_access_group_id = authentik_group.admins.id } + +module "cloud" { + source = "../modules/authentik-oidc" + app_name = "Cloud" + app_slug = "cloud" + app_url = "https://cloud.roboces.dev" + client_id = var.oxicloud_client_id + client_secret = var.oxicloud_client_secret + app_icon = "https://cloud.roboces.dev/themes/opencloud/assets/favicon.svg" + redirect_uris = [{ + matching_mode = "strict", url = "https://cloud.roboces.dev/api/auth/oidc/callback" + }] + app_access_group_id = "" +} diff --git a/tofu/authentik/sample.env b/tofu/authentik/sample.env index 31a7461..7230d1f 100644 --- a/tofu/authentik/sample.env +++ b/tofu/authentik/sample.env 
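Review bot: `app_access_group_id = ""` on the new `cloud` module, combined with `OXICLOUD_OIDC_AUTO_PROVISION` defaulting to `true` in the compose file, means every Authentik account gets an OxiCloud account on first login, whereas the other modules visible in this diff bind an explicit group (`authentik_group.admins.id`, `authentik_group.ftp.id`). Add a dedicated group and bind it: `resource "authentik_group" "cloud" { name = "cloud" is_superuser = false }` and `app_access_group_id = authentik_group.cloud.id`. The call also omits `client_type`, `sub_mode` and `access_token_validity`, which the removed `sftpgo` module set explicitly; it is worth confirming the module defaults to `confidential`, since the compose side passes a client secret.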
@@ -18,3 +18,5 @@ TF_VAR_ganymede_client_id= TF_VAR_ganymede_client_secret= TF_VAR_pulse_client_id= TF_VAR_pulse_client_secret= +TF_VAR_oxicloud_client_id=aef61f77326b813cf8d8ba71d1ac994b5642685ca37e4710ab0079e91d87702d55fd9775d473b05aff45603bf08e78dba26850af3a815f3c3ac171d163368aa0 +TF_VAR_oxicloud_client_secret=a4038df17c9fd06f86372aeaaae8f3fd1374d8978983af7b398d948ef15d1efe522a1faa2fc7652bc410c516d96cd2e4211dad4e05ba6297bdd8d9090460d5fc diff --git a/tofu/authentik/vars.tf b/tofu/authentik/vars.tf index f0e5dc2..920d995 100644 --- a/tofu/authentik/vars.tf +++ b/tofu/authentik/vars.tf @@ -88,3 +88,13 @@ variable "pulse_client_secret" { description = "Pulse client secret" type = string } + +variable "oxicloud_client_id" { + description = "Oxicloud client ID" + type = string +} + +variable "oxicloud_client_secret" { + description = "Oxicloud client secret" + type = string +}
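Review bot: These two lines are not placeholders — `TF_VAR_oxicloud_client_id` and `TF_VAR_oxicloud_client_secret` carry what appear to be real Authentik client credentials, committed into a file whose every other entry is empty, and once pushed they remain in git history. Revert them to `TF_VAR_oxicloud_client_id=` and `TF_VAR_oxicloud_client_secret=`, regenerate the client secret in Authentik for the `cloud` provider, and put the new values only in the untracked `.env`. A pre-commit secret scanner (gitleaks or similar) would stop `sample.env` from being committed with non-empty secret values again.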
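Review bot: `oxicloud_client_secret` is declared without `sensitive = true`, so its value is printed in plaintext in `tofu plan` output and state diffs. Add `sensitive = true` inside the `variable "oxicloud_client_secret"` block; the existing `*_client_secret` variables deserve the same if they lack it, but their bodies are outside this hunk. The hunk's leading context belongs to `variable "pulse_client_secret"`, whose block starts before the hunk.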